Huntgroup Core Dump #1959

Closed
SS-T opened this Issue Apr 7, 2017 · 1 comment

SS-T commented Apr 7, 2017

freeradius version 3.0.12

When huntgroups contains a regular expression on Client-IP-Address, radiusd crashes inside paircompare.

---- huntgroups ----
test Client-IP-Address =~ 127.0.0..*

---- core dump ----
#0 0x00007fe369fd76a2 in radius_compare_vps (request=0x1e5c000, check=0x1d898c0, vp=0x0) at src/main/pair.c:88
#1 0x00007fe365e23aee in genericcmp (instance=0x1d595e0, request=0x1e5c000, req=0x1e5c2b0, check=0x1d898c0, check_pairs=0x1d898c0,
reply_pairs=0x0) at src/modules/rlm_expr/paircmp.c:220
#2 0x00007fe369fd7d4c in radius_callback_compare (request=0x1e5c000, req=0x1e5c2b0, check=0x1d898c0, check_pairs=0x1d898c0,
reply_pairs=0x0) at src/main/pair.c:279
#3 0x00007fe369fd8382 in paircompare (request=0x1e5c000, req_list=0x1e5c2b0, check=0x1d898c0, rep_list=0x0) at src/main/pair.c:576
#4 0x00007fe368a7880d in huntgroup_access (request=0x1e5c000, huntgroups=0x1dbd0b0)
at src/modules/rlm_preprocess/rlm_preprocess.c:452
#5 0x00007fe368a78ff5 in mod_preaccounting (instance=0x1d3c580, request=0x1e5c000)
at src/modules/rlm_preprocess/rlm_preprocess.c:715
#6 0x00000000004292cc in call_modsingle (component=MOD_PREACCT, sp=0x1e43220, request=0x1e5c000) at src/main/modcall.c:302
#7 0x0000000000429a17 in modcall_recurse (request=0x1e5c000, component=MOD_PREACCT, depth=1, entry=0x7fffa8d2acb8,
do_next_sibling=true) at src/main/modcall.c:578
#8 0x0000000000429497 in modcall_child (request=0x1e5c000, component=MOD_PREACCT, depth=1, entry=0x7fffa8d2aca0, c=0x1e42ec0,
result=0x7fffa8d2ab88, do_next_sibling=true) at src/main/modcall.c:408
#9 0x000000000042a50a in modcall_recurse (request=0x1e5c000, component=MOD_PREACCT, depth=0, entry=0x7fffa8d2aca0,
do_next_sibling=true) at src/main/modcall.c:789
#10 0x000000000042b248 in modcall (component=MOD_PREACCT, c=0x1e41810, request=0x1e5c000) at src/main/modcall.c:1134
#11 0x000000000042683a in indexed_modcall (comp=MOD_PREACCT, idx=0, request=0x1e5c000) at src/main/modules.c:1028
#12 0x0000000000428be6 in module_preacct (request=0x1e5c000) at src/main/modules.c:2177
#13 0x000000000040efbc in rad_accounting (request=0x1e5c000) at src/main/acct.c:56
#14 0x000000000043e1a5 in request_running (request=0x1e5c000, action=1) at src/main/process.c:1527
#15 0x000000000043cee8 in request_queue_or_run (request=0x1e5c000, process=0x43e043 <request_running>) at src/main/process.c:1015
#16 0x000000000043ea25 in request_receive (ctx=0x1e5bdf0, listener=0x1e5acf0, packet=0x1e5be50, client=0x1d2e7f0,
fun=0x40ef84 <rad_accounting>) at src/main/process.c:1783
#17 0x0000000000418f49 in acct_socket_recv (listener=0x1e5acf0) at src/main/listen.c:1683
#18 0x000000000044592d in event_socket_handler (xel=0x1d30d20, fd=77, ctx=0x1e5acf0) at src/main/process.c:4585
#19 0x00007fe369d9af26 in fr_event_loop (el=0x1d30d20) at src/lib/event.c:641
#20 0x0000000000447754 in radius_event_process () at src/main/process.c:5658
#21 0x0000000000431927 in main (argc=2, argv=0x7fffa8d2b658) at src/main/radiusd.c:585

---- rlm_expr/paircmp.c ----
inside function "genericcmp"

217 /*
218 * Will do the xlat for us
219 */
220 return radius_compare_vps(request, check, NULL);

The NULL value will trigger the coredump in /src/main/pair.c.
The NULL value will need to be replaced with 'req' and check NOT NULL.

alandekok added a commit that referenced this issue Apr 7, 2017

Don't crash on unexpected regex. Closes #1959 (92d216f)

alandekok closed this Apr 7, 2017

SS-T commented Apr 7, 2017

The crash is on the following line of pair.c, because the vp passed in from rlm_expr.c is NULL.
if (vp->da->type == PW_TYPE_STRING) {
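
The failure mode reported above, as an added example (not FreeRADIUS code, and not the change made in commit 92d216f): a simplified C model in which the comparison validates the request attribute before dereferencing it, and the caller looks the attribute up in the request list rather than passing NULL. The pair_t type, the CMP_* codes and both function names are hypothetical; the pattern is the one from the huntgroups line in the report.

```c
#include <regex.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical stand-ins for illustration; not FreeRADIUS types. */
typedef enum { OP_CMP_EQ, OP_REG_EQ } cmp_op_t;
typedef struct pair {
    const char *attr;        /* attribute name, e.g. "Client-IP-Address" */
    cmp_op_t op;             /* operator (meaningful on check items) */
    const char *value;       /* printable value, or the pattern for OP_REG_EQ */
    struct pair *next;
} pair_t;
enum { CMP_MATCH = 0, CMP_NO_MATCH = 1, CMP_ERROR = -1 };

/* Compare one check item against one request attribute. Every pointer is
 * validated before use, so a caller passing vp == NULL gets CMP_ERROR
 * instead of a NULL dereference. */
int compare_checked(const pair_t *check, const pair_t *vp)
{
    regex_t re;
    int rc;
    if (!check || !check->value) return CMP_ERROR;
    if (!vp || !vp->value) return CMP_ERROR;
    if (check->op != OP_REG_EQ)
        return strcmp(check->value, vp->value) == 0 ? CMP_MATCH : CMP_NO_MATCH;
    if (regcomp(&re, check->value, REG_EXTENDED | REG_NOSUB) != 0)
        return CMP_ERROR;            /* malformed pattern in the config */
    rc = regexec(&re, vp->value, 0, NULL, 0);
    regfree(&re);
    return rc == 0 ? CMP_MATCH : CMP_NO_MATCH;
}

/* Caller side: look the attribute up in the request list and pass what
 * was found. An absent attribute is a non-match, never a NULL argument. */
int compare_in_request(const pair_t *check, const pair_t *req_list)
{
    const pair_t *vp;
    if (!check || !check->attr) return CMP_ERROR;
    for (vp = req_list; vp; vp = vp->next)
        if (vp->attr && strcmp(vp->attr, check->attr) == 0)
            return compare_checked(check, vp);
    return CMP_NO_MATCH;
}

int main(void) {
    pair_t check = { "Client-IP-Address", OP_REG_EQ, "127.0.0..*", NULL }; /* rule from the report */
    pair_t req = { "Client-IP-Address", OP_CMP_EQ, "127.0.0.1", NULL };    /* constructed request */
    return (compare_in_request(&check, &req) == CMP_MATCH && compare_checked(&check, NULL) == CMP_ERROR) ? 0 : 1;
}
```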
